‘BatBadBut’ Command Injection Vulnerability Affects Multiple Programming Languages

12-May-24

The issue, named ‘BatBadBut’, exists because the Windows operating system spawns the ‘cmd.exe’ process when executing batch (.bat) files with the ‘CreateProcess’ function, and programming languages do not properly escape command arguments.


Most programming languages wrap the ‘CreateProcess’ function to offer a more user-friendly interface but fail to properly escape the command arguments passed to the function.


The OS cannot execute batch files without ‘cmd.exe’, which “has complicated parsing rules for the command arguments, and programming language runtimes fail to escape the command arguments properly,” Flatt Security researcher RyotaK explains.


Because of this issue, an attacker who can control the command arguments passed to a batch file can potentially inject commands into Windows applications.
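
One way an application can guard against this on its own side, shown as an added example that is not from the original article or from any affected runtime: refuse to spawn a batch target unless every argument matches a strict allowlist, rather than trusting the runtime's escaping. The names `is_batch_target`, `checked_argv` and `UnsafeBatchArgument`, the allowlist itself, and the choice to treat extensionless names as possible batch files are assumptions made for this sketch.

```python
import re
from pathlib import PureWindowsPath

# Extensions that Windows hands to cmd.exe when given to CreateProcess.
BATCH_EXTENSIONS = {".bat", ".cmd"}

# Assumed policy: letters, digits and a few characters that cmd.exe does not
# treat specially. Quotes, %, &, |, <, >, ^, !, parentheses and whitespace
# are all outside this set, so no escaping is ever needed.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.:\\/-]+")


class UnsafeBatchArgument(ValueError):
    """Raised when an argument for a batch target fails the allowlist."""


def is_batch_target(program: str) -> bool:
    # Windows ignores trailing dots and spaces in file names, so strip them
    # before looking at the extension.
    suffix = PureWindowsPath(program.rstrip(" .")).suffix.lower()
    # Assumption: an extensionless name is treated conservatively as a
    # possible batch file, since the caller cannot tell what it resolves to.
    return suffix in BATCH_EXTENSIONS or suffix == ""


def checked_argv(program: str, args: list[str]) -> list[str]:
    """Return the argv to spawn, or raise if a batch target would receive
    an argument that cmd.exe might interpret instead of passing through."""
    if is_batch_target(program):
        for arg in args:
            if not SAFE_ARG.fullmatch(arg):
                raise UnsafeBatchArgument(
                    f"argument {arg!r} rejected for batch target {program!r}"
                )
    return [program, *args]


if __name__ == "__main__":
    # Constructed sample inputs: ordinary user-supplied values, two of which
    # happen to contain characters that cmd.exe parses.
    for value in ["v1.2.3", "Q1 & Q2", "50%"]:
        try:
            print("ok      ", checked_argv("build.bat", ["release", value]))
        except UnsafeBatchArgument as exc:
            print("rejected", exc)
```

Arguments for non-batch executables pass through unchanged, because they never reach the ‘cmd.exe’ parser.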
